Carriers are denying coverage — and claims — over missing MFA, untested backups, and stale risk assessments. Here's what every question on the form actually requires.
If your organization carries cyber insurance — and if you hold donor data, client records, or student files, you should — your next renewal packet is going to look different. Shorter grace, longer questionnaire, harder questions.
Five years ago, carriers asked whether you had antivirus. Today they ask who monitors your endpoints overnight, when your backups were last restored (not just run), and for the date of your most recent security risk assessment. These aren't formalities. Answer wrong and premiums jump; answer inaccurately and a claim can be denied after an incident — exactly when you need it most.
Wording varies by carrier, but the substance doesn't. Before your renewal lands, you should be able to answer yes — honestly and with documentation — to each of these:
In our assessments across McHenry and Lake Counties, the same three gaps appear again and again. The first is MFA coverage that's partial — turned on for email but not for the remote desktop connection a part-time bookkeeper uses. The second is backups nobody has restored; a backup that has never been tested is a hope, not a control. The third is the missing risk assessment — the single document that ties the rest together, and for HIPAA-covered organizations, a regulatory requirement in its own right.
Our clients answer these questionnaires from a standing document set: MFA enforced tenant-wide, managed detection watching every endpoint around the clock, backups verified monthly, training logged, and a risk assessment refreshed annually. The renewal takes an afternoon, not a scramble.
Pull last year's questionnaire out now — months before renewal — and audit yourself against it. Every "no" or "not sure" is a project with a deadline. If you'd like a second set of eyes, our free security assessment maps directly to these eight questions.
Cyber insurance is becoming the de facto security standard for small organizations: the carrier's checklist is doing what regulators never quite managed. Treat the questionnaire as a gift — a free, prioritized to-do list — and you'll be more secure whether or not you ever file a claim.
Our free IT security assessment gives your leadership a plain-English report on your risks, your compliance gaps, and exactly what it would cost to fix them. No obligation, no jargon.